Uber left its lost-and-found database open to anyone on the internet

Graham Cluley

The Uber ride-sharing service is dogged by its fair share of controversies, and now another one has emerged which suggests – like many online companies before it – it has grown too big, too fast, and not had security embedded in its soul.

As Motherboard reports, records from its South California operations have been accidentally exposed on the internet – revealing the phone numbers of some customers, and that at least two drivers were demanding financial payments for the return of items left in the back of vehicles.

Uber lost-and-found list

Motherboard reporters were able to access what should have been an internal webpage, showing 155 items in the Uber district’s lost-and-found directory, including the usual array of iPhones, credit cards, wallets, spectacles and selfie sticks.

Two hours after the press published a story about the data leaking from Uber, the webpage was removed from public access.

Such a leak of information is, of course, evidence of not just bad design – but also an indication that privacy and security are not part of the company’s DNA.

Maybe in time, if it lasts that long, Uber will learn that the privacy of customers is sacrosanct and everything should be done to make mistakes like this impossible. But until that day, you have to cross your fingers and trust that they’re not going to have another accident, or indeed dump you on the side of a motorway at 3am.

My guess is that Uber hasn’t learnt to walk the privacy walk yet. In fact, my guess is that they’re probably still crawling.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Uber left its lost-and-found database open to anyone on the internet”

  1. Coyote

    "Maybe in time, if it lasts that long, "
    Let's hope not.

    "Uber will learn that the privacy of customers is sacrosanct and everything should be done to make mistakes like this impossible. But until that day, you have to cross your fingers and "
    Yes, mistakes are forgivable in certain circumstances but iff they actually learn from them (and act on what was learnt). That is iff, not 'if'. Big difference. Still, this type of mistake is hardly acceptable (and I'll not get into the actual politics of the contents of and the story itself i.e. the leaked data).

    "trust that they're not going to have another accident, or indeed dump you on the side of a motorway at 3am."
    Well there's no words for that example, not the example itself. Even more reason to wish they don't survive (as a company). If they do, though, hopefully they wake up to that type of thing – that is directly against their service, isn't it? Of course a lot of things are against their service but I suppose that's beside the point.

    "My guess is that Uber hasn't learnt to walk the privacy walk yet. In fact, my guess is that they're probably still crawling."
    Indeed. Regrettable that their vehicles aren't crawling too so as to actually prevent others from using their service and getting themselves into trouble (of course there is always the other, better option of they actually improve; however, at this time, it doesn't seem like it'll be any time soon).
